Fix Guide

How to Fix Cookie Security Flags

One or more cookies are missing Secure, HttpOnly, or SameSite protections.

Safe public URL scan. Results include technology evidence, SEO checks, security headers, accessibility basics, and a developer fix list.

Recommended fix

Set Secure, HttpOnly, and SameSite where appropriate for session, auth, and preference cookies.

This guide is designed to pair with a scanner report. Run a URL scan first, then follow the implementation steps.

Developer task

Update cookie-setting code or framework config; validate Set-Cookie headers on HTTPS responses.

Implementation steps

How to apply this fix

  1. Identify the cookies missing Secure, HttpOnly, or SameSite from the Set-Cookie headers.
  2. Add Secure so cookies are only sent over HTTPS.
  3. Add HttpOnly to session/auth cookies that scripts do not need to read.
  4. Set an appropriate SameSite value (Lax or Strict) for the cookie purpose.
  5. Update framework config or cookie code and re-scan the HTTPS response to confirm flags.
Verify

Re-run the URL scan after deploying the change to confirm the issue clears and the Themerella Score updates.

Related guides

Continue the same website quality workflow.